13 matches found
CVE-2026-36214
osTicket versions from 1.10 up to 1.17.7 and from 1.18.0 up to 1.18.3 are vulnerable to a stored XSS due to a vulnerable Bootstrap Tooltip component and insufficient HTML sanitization, allowing remote attackers to execute arbitrary JavaScript in Agent or Admin sessions...
CVE-2026-36214
osTicket versions from 1.10 up to 1.17.7 and from 1.18.0 up to 1.18.3 are vulnerable to a stored XSS due to a vulnerable Bootstrap Tooltip component and insufficient HTML sanitization, allowing remote attackers to execute arbitrary JavaScript in Agent or Admin sessions...
CVE-2026-36214
CVE-2026-36214 — osTicket Stored XSS affects osTicket versions 1.10–1.17.7 and 1.18.0–1.18.3 due to a vulnerable Bootstrap Tooltip (3.3.4) and insufficient HTML sanitization. The attack stores a malicious JS payload in a ticket attachment and executes it when an Agent/Admin views the ticket, enab...
MAL-2026-3864 Malicious code in @antv/coord (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.2 contained security vulnerabilities. These vulnerabilities stemmed from the lack of enforceable write limits on the POST /sessions/:sessionKey/kill endpoint, allowing callers...
CVE-2026-32048
OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessionsspawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set ...
EUVD-2026-13943
OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessionsspawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set ...
CVE-2026-28482 OpenClaw < 2026.2.12 - Path Traversal via Unsanitized sessionId and sessionFile Parameters
OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to...
PT-2026-23557
OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to...
GoCD: Spring security configuration allows agent sessions to be hijacked
Summary ======= If agents have successfully logged in, then unauthenticated requests to /go/agent-websocket or /go/remoting/ will randomly succeed sometimes. Description ======== The deprecated X509ProcessingFilter apparently does not work without a HttpSessionContextIntegrationFilter earlier on...
CVE-2012-0062
Red Hat JBoss Operations Network JON before 2.4.2 and 3.0.x before 3.0.1 allows remote attackers to hijack agent sessions via an agent registration request without a security token...
CVE-2012-0062
Red Hat JBoss Operations Network JON before 2.4.2 and 3.0.x before 3.0.1 allows remote attackers to hijack agent sessions via an agent registration request without a security token...
CVE-2012-0062
Red Hat JBoss Operations Network (JBoss ON) is affected by CVE-2012-0062. Versions affected: JON before 2.4.2 and 3.0.x before 3.0.1. Root cause: an agent registration request could be processed without a valid security token. Impact: remote attackers can hijack an approved agent’s session and st...